Deploy PowerShell Scripts using SCCM 1706

Beginning with SCCM 1706, you can now run and deploy Powershell script from the SCCM console. In addition, all directly from the SCCM console you can: edit your scripts, import existing scripts, approved or deny scripts, run script on specific collections and examine the scripts results. This can be useful to run a script quickly without the burden of creating a package or an application.

Unlike standard deployments, when you deploy scripts, they are run almost immediately using Client Operations.

This feature is still in pre-release version and needs to be enabled manually before using it.

Prerequisites for SCCM Deploy PowerShell Script

Before using scripts on your clients you need :

• SCCM 1706
• Create and Run scripts pre-release features enabled
• Targeted clients must have client version 1706+
• Clients must be running PowerShell v3.0+
• Have the necessary SCCM permissions

Enable Create and Run Scripts Feature

• Open the SCCM Console
• Go to your Administration / Site / Hierarchy Setting
• Ensure that you have the Consent to use Pre-Release features enabled. You’ll also notice a new option for script approval there
• Click Ok

• Go to Administration / Updates and Servicing / Features
• Right-click Create and run scripts select Turn On

• On the warning, click Yes

• Close the Console and reopen it
• You’ll have a new Script Node under Software Library

SCCM Security Role Permission

To approve, create and deploy scripts, your user must have the required SMS Script permission. You have those rights only in the Full Administrator role or when creating a custom security role.

[x_alert heading=”Note” type=”info”]The run script rights are under Collections / ResID:RunScript[/x_alert]

Create a Script

Let’s create our first script.

• In the Software Library / Scripts node
• Right-Click Scripts and select Create Script

• Give your script a name, select your language (PowerShell only…for now)
• Click Import if you already have a saved script or use the available text box to write your script

• In the Summary screen, click Next

• In the Completion screen, click Close

• Your script is created and needs to be approved before it can be deployed

Approve Script

We now need to approve the script. If you can’t approve your own script, see the previous section to disable the option in your Hierarchy Settings. That’s an interesting feature that assures that you are controlling the script that can be deployed.

• Right-Click your script and select Approve/Deny

• Review the script and make sure that it’s ok

• Select Approve and put a comment if needed

• In the Summary screen, click Next

• In the Completion screen, click Close

Run Script

A script can be run on a collection or on a single device. Once the script is deployed it’s given 1-hour windows to run on the computer. If it’s offline during that period, the script will need to be run again. Make sure that the clients have the necessary requirements. (See Prerequisites section at the top of this post)

• Select your collection or device and select Run Script

• Select your script. Only approved scripts are listed

• Review your settings and click Next

• Click Close

Monitoring

We’ll now check if the script has run successfully on our device :

• Monitor the script deployment statistics under Monitoring / Client Operation
• You can see that 1 client has run it and has 1 success

• Monitor the script execution statistics un Monitoring / Script Status
• You can see the Script Execution State, the Exit Code and the Output

Verification

• The client downloads the script locally in C:\Windows\CCM\ScriptStore

The name of the script contains the script GUID. It can be found in the SCCM Console by adding the Script GUID column

• Log file for the script will be located in C:\Windows\CCM\logs\Scipts.log